At the MBTA, we envision a thriving region enabled by a best-in-class transit system. Our mission is to serve the public by providing safe, reliable, and accessible transportation. The MBTA's Core Values are built around safety, service, equity, sustainability, and culture. Each employee who works for the MBTA performs their role based on our vision, mission, and values. This includes attendance, participation, and contribution in local safety committee meetings as needed.
Job Summary
The Deputy Director of IT Risk & Compliance Management provides strategic and operational leadership over enterprise technology risk, compliance, and governance functions across the MBTA. The role safeguards information assets by operationalizing security and privacy control frameworks, orchestrating supply chain and vendor risk diligence, and translating risk posture between executive-level dashboards and actionable remediation plans. The Deputy Director fosters a high-performance culture of security awareness, drives policy governance, and serves as a trusted advisor to senior leadership on emerging risks spanning legacy, cloud, DevOps, and Operational Technology environments.
Duties & Responsibilities
- Direct the risk management lifecycle (identification, assessment, response, monitoring) for IT and OT systems, ensuring alignment with NIST CSF, NIST 800-53, ISO 27001, CIS, and applicable privacy mandates (e.g. MA 201 CMR 17.00, GDPR, CCPA).
- Maintain an authoritative inventory (Risk Register) of business, technology, regulatory, contractual, and organizational security-related risks; oversee continuous control testing and issue management.
- Design and run a robust Supply-Chain Risk Management (SCRM) program, including third-party onboarding, due-diligence assessments (SOC 2, ISO 27001, PCI DSS, FedRAMP, CMMC), and ongoing performance monitoring.
- Coordinate with Procurement and Legal to embed security clauses and right-to-audit provisions in contracts.
- Develop, socialize, and maintain MBTA information security and privacy policies; drive adoption through targeted awareness campaigns, phishing simulations, and organization-wide training.
- Evangelize a Security-First mindset via town halls, brown-bag sessions, and executive briefings.
- Administer and optimize GRC portals (e.g. ServiceNow, Archer) for control catalogues, risk registers, exception management, and board-level metrics.
- Integrate vulnerability, incident, and asset data to deliver end-to-end traceability from findings to remediation and residual risk reporting.
- Produce concise, data-driven dashboards and briefings for the CISO, CIO, Board, and federal regulators (TSA, FTA, DHS/CISA).
- Present program status, risk trending, and budget justification in public speaking forums, executive committees, and industry conferences.
- Lead, mentor, and develop a diverse team of risk analysts and compliance specialists; cultivate psychological safety, accountability, and continuous learning.
- Champion collaboration across Operations, Engineering, Legal, Audit, and Finance to embed security into the MBTA's technology and business roadmaps.
- Evaluate emerging threats, technologies, and regulatory changes; recommend process enhancements, automation, and tooling (e.g. IRM workflows, AI-assisted control testing).
- Serve as primary interface for internal/external auditors and regulatory bodies; coordinate evidence collection, track remediation commitments, and attest to control effectiveness.
- Perform all other duties and projects that may be assigned.
Supervision
- Manage a team of engineers and administrators.
Minimum Requirements & Qualifications
- Bachelor's degree from an accredited institution in Computer Science or a related field.
- Five (5) years of progressive IT risk, compliance, or cybersecurity governance experience within large, complex environments.
- Two (2) years of supervisory, managerial, and/or leadership experience.
- Demonstrated implementation of NIST 800-53/CSF, ISO 27001/27701, CIS Controls, ITIL, COBIT, and privacy regulations.
- Working knowledge of network, cloud (AWS/Azure), DevOps pipelines, legacy on-prem systems, security tooling (SIEM, EDR, IAM), and vulnerability management platforms.
- Hands-on administration of GRC suites (ServiceNow GRC, Archer, Origami, Armis, Nozomi) and phishing training platforms (KnowBe4, Proofpoint, Cofense).
- Exceptional verbal and written communication, public speaking, and executive-level presentation skills.
- At least one of: CRISC, CISM, CISSP, CISA; willingness to achieve additional certifications as needed.
Substitutions Include
- A High School Diploma or GED with an additional seven (7) years of directly related experience substitutes for the bachelor's degree requirement.
- An Associate's Degree from an accredited institution and an additional three (3) years of directly related experience substitutes for the bachelor's degree requirement.
- A Master's Degree in a related subject substitutes for two (2) years of general experience.
- A nationally recognized certification or statewide/professional certification in a related field substitutes for one year of experience.
Preferred Experience and Skills
- Seven (7) or more years of progressive IT risk, compliance, or cybersecurity governance experience within large, complex environments.
- Three (3) or more years in a supervisory/leadership capacity.
- Additional credentials (e.g. CGEIT, CCSP, ISO 27001 Lead Auditor, PMP).
- Experience with federal critical infrastructure directives (TSA SD 1580/C, NIST SP 800-82).
- Exposure to operational technology (OT) environments and rail/transit systems.
- Record of thought leadership through conference speaking, publication, or standards body participation.
- Strategic thinker with a hands-on, results-driven approach.
- Analytical mindset and quantitative skills; comfort with ambiguity and rapid change.
- Demonstrated integrity, ethical judgement, and commitment to public service.
- Ability to inspire teamwork, inclusivity, and a culture of continuous improvement.
Job Conditions:
- Ability to effectively read, comprehend, communicate, and respond to instructions, orders, signs, notices, and inquiries in English.
- Be at least eighteen (18) years of age, except if participating in an approved high school internship / co-op program.
- Ability to commute to assigned work locations in the Boston, MA metro area as required by the role.
- Ability to provide internal and external customers with courteous and professional experiences.
- Ability to work effectively independently and as part of a diverse workforce team (or supervise if required).
- Ability to uphold the rights and interests of the MBTA while building and maintaining effective relationships with employees and co-workers.
- Ability to adhere to rules, regulations, collective bargaining agreements (if applicable), and policies of the MBTA, including the EEO, anti-discrimination, anti-harassment, and anti-retaliation policies.
- Have a satisfactory work record for the two (2) years immediately prior to the closing date of this posting (unless a current student or recent graduate), including overall employment, job performance, discipline, and safety records (infractions and/or offenses occurring after the closing of the posting and before the filling of a vacancy may preclude a candidate from consideration for selection).
- Ability to pass a Criminal Offender Record Information (CORI) check, comprehensive background screening, and / or medical clinic screening, potentially including physical examination and drug and alcohol screenings.
- Ability to work all shifts and / or locations assigned, directed, or necessary for this position, including (for some transit / operations roles) up to twenty-four (24) hours per day, seven (7) days per week, as necessary to accommodate severe weather conditions, emergencies, or any other circumstances that may potentially impact service or the safety of service.
- Intern / co-op staff must be enrolled full- or part-time in an accredited educational program and maintain a cumulative GPA of at least 2.5 for the entire duration of the internship / co-op. Additionally, interns / co-ops must have valid work authorization and a U.S. Social Security Number prior to starting pre-employment screenings / pre-boarding, working in their positions, and throughout the duration of their program.
Disclaimers and Definitions:
- General Disclaimer: The statements contained in this job description are intended to describe a summary of the general nature and complexity of typical job functions and do not represent an exhaustive list of all duties, tasks, and responsibilities required of staff assigned to this position.
- Application Completion: It is each applicant's responsibility to ensure application details are entered completely and correctly, including updated work and education histories (past and current). Incomplete applications may not be considered. Attachments do not substitute for application fields. The recruitment team does not have access to existing employee data / history.
- Application Deadlines: Applicants should apply as soon as possible, as the MBTA may stop considering applicants after a sufficiently large applicant pool is established.
- Work Environment: The physical demands and work environment characteristics described herein are representative of those an employee may encounter while performing the essential functions of this job. Reasonable accommodations can be made to enable individuals with disabilities to perform essential functions. See job description for role-specific requirements.
- Work Eligibility: All employees must be legally authorized to work in the United States on an unrestricted basis. The MBTA does not have an employer work sponsorship program. However, if you have unrestricted work authorization or are sponsored by a separate entity, you are welcome to apply. All persons hired will require a U.S. Social Security Number prior to starting the position, and employees will be required to complete a Form I-9 to verify their identity and eligibility to work in the U.S.
- Interviews: Candidates should ensure they arrive on time, are prepared, can remain for the duration, and, if remote, are in a quiet place without distraction for the interview. Candidates who do not attend their interview without advance authorization, including an email confirmation of a rescheduled time/date from Human Resources, will be considered a no-show and disqualified from consideration for the position. Related to rescheduling on a one-time basis and due to something emergent, you may be allowed to reschedule; in addition, Human Resources may require documentation supporting the request. Should you need to reschedule, you will need to contact your Recruiter directly by email.
- Safety Sensitive Positions: Employees working in this classification will be subject to periodic physical examinations plus random drug and alcohol testing.
- On-call or 24/7 Positions: Employees working in this classification must be available to respond to page / text / call and report to work as determined by the assigned department or the Authority.
- Essential / Emergency Staff: During declared states of emergency, employees working in this classification are required to report to work for their assigned work hours or as directed by management.
- ADA Accommodations: The MBTA makes reasonable accommodations for applicants with disabilities. If you require an accommodation during this process, please contact the MBTA's ADA Unit at or .
- Diversity, Equity, and Inclusion: The MBTA is an Equal Employment Opportunity Employer. For terms, descriptions, and definitions related to diversity, equity, inclusion, veteran status, and immediate family members that you may find on the application form, please visit
- Intern / Co-Op Benefits: Employees taking part in an internship or co-op at the MBTA are eligible to receive accrued paid sick leave as well as a monthly transportation pass, based on the city from which the intern / co-op commutes to work, at no cost. However, no additional benefits are currently offered for interns or co-ops.
Required Experience:
Director